CVE-2024-10535 MEDIUM

CVE-2024-10535: Video Gallery for WooCommerce <= 1.31 - Missing Authorization to Unauthenticated Limited File Deletion

Vendor Nitramix

Product Video Gallery for WooCommerce

Weakness CWE-862 · Missing authorization

Published November 6, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Video Gallery for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the remove_unused_thumbnails() function in all versions up to, and including, 1.31. This makes it possible for unauthenticated attackers to delete thumbnails in the video-wc-gallery-thumb directory.

Key dates

02Disclosure timeline

November 6, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-10535

Related vulnerabilities

04Related CVE

CVE-2026-33759 AVideo: Unauthenticated IDOR in playlistsVideos.json.php Exposes Private Playlist Contents CVE-2020-25711 CVE-2024-12821 Media Manager for UserPro <= 3.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update CVE-2026-32527 WordPress WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin <= 1.1.5 - Broken Access Control vulnerability CVE-2025-30817 WordPress Z Companion plugin <= 1.0.13 - Broken Access Control vulnerability